Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1823933

Summary: Make default SCC manifests create-only by CVO
Product: OpenShift Container Platform Reporter: Abu Kashem <akashem>
Component: apiserver-authAssignee: Abu Kashem <akashem>
Status: CLOSED ERRATA QA Contact: scheng
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.4CC: aos-bugs, mfojtik
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1823934 (view as bug list) Environment:
Last Closed: 2020-07-13 17:27:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1823934    

Description Abu Kashem 2020-04-14 19:50:42 UTC 
Description of problem:
In OpenShift 4.4, the default SCCs are managed by CVO. This means any changes to it are stomped by CVO.

We have customers who change the default SCCs for their workload. when a cluster upgrades from 4.3 -> 4.4, user's changes to the default SCCs will be stomped by CVO and customer workload will face outages consequently.
  

Version-Release number of selected component (if applicable):
OpenShift 4.4


How reproducible:
Always

Steps to Reproduce:
1. Install OpenShift 4.3

2. Change the default SCC 
    oc patch scc privileged --type json -p '[{"op": "add", "path": "/users/-", "value": "kubeadmin"}]'
    oc patch scc anyuid --type json -p '[{"op": "add", "path": "/users/-", "value": "kubeadmin"}]'

3. do a 4.3 -> 4.4 upgrade


Actual results:
Changes to the default SCCs will be lost as a result of the upgrade.

Expected results:
The upgrade should retain the changes made by the user

Additional info:
- https://bugzilla.redhat.com/show_bug.cgi?id=1823921
Comment 1 Abu Kashem 2020-04-16 16:45:12 UTC 
Waiting for the PR in master - https://github.com/openshift/cluster-kube-apiserver-operator/pull/831 to merge. Then it will be cherry-picked into 4.4.
Comment 4 Abu Kashem 2020-04-17 17:41:59 UTC 
once the back port to 4.4 https://github.com/openshift/cluster-kube-apiserver-operator/pull/836 merges I will revert it to ON_QA. I did not know of any other way to convince CI to allow my PR to merge.
Comment 5 Abu Kashem 2020-04-17 19:57:29 UTC 
My PR has merged, reverting it back to ON_QA.
Comment 8 errata-xmlrpc 2020-07-13 17:27:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409